Cloud Infrastructure Misconfigurations Still Plague Industry, Security Study Affirms


Over the past several years, user misconfigurations of cloud storage infrastructure settings have led to a spate of high-profile security vulnerabilities, and a new study shows the problem persists despite heightened visibility and copious remediation guidance.

Perhaps nowhere is the misconfiguration problem more apparent than in the highly publicized string of data breaches and security vulnerabilities associated with Amazon Web Services (AWS) S3 storage buckets over the past several years, though other cloud providers have also been affected.

And, while the pace of discovered AWS vulnerabilities has seemingly slowed somewhat, S3 misconfigurations are still a problem, said DevSecOps specialist Accurics in publicizing its new report on risks and best practices.

“The recent breach attempt on Twilio was an indicator that attackers are crafting new ways to attack the cloud,” Accurics said in an August 4 blog post announcing the study results. “While a misconfigured cloud storage service (S3 bucket) was involved, this incident was not about stealing sensitive data. Instead, attackers gained access to the JavaScript code for their TaskRouter SDK that allows Twilio customers to integrate incoming phone call routing. Since the cloud storage service was publicly writable, attackers modified the code. Although the change was non-malicious, the severity of the risk was a stark indicator that breaches are increasing in sophistication.”

The Summer 2020 edition of the State of DevSecOps report analyzed cloud native infrastructure across hundreds of deployments across Accurics customers and community users.

“The research revealed that misconfigured cloud storage services are commonplace in 93 percent of the cloud deployments analyzed, and most also had at least one network exposure where a security group was left wide open,” Accurics said. “These issues have already contributed to more than 200 breaches over the past two years. However, new policy violations are starting to become commonplace, such as storing hardcoded keys within environments — 72 percent of deployments had this issue; this was a key factor in the Imperva breach in 2019.”

The report lists the top three common threats plaguing cloud deployments as:

  • Hardcoded keys with high privileges — 41 percent of respondents
  • Overly permissive Identity and Access Management (IAM) policies — 89 percent
  • Misconfigured routing rules — 100 percent

Another prob­lem, the report said, is that cloud risk pos­ture even­tu­al­ly drifts from a secure state, as almost all orga­ni­za­tions allow users to make cloud infra­struc­ture changes occur­ring in run­time. These changes, or drifts, have a high cor­re­la­tion between the type of drift/change and risks that create seri­ous expo­sures.

[Figure: Top Cloud Infrastructure Drifts (source: Accurics).]

“This implies that even if organizations exercise strong security hygiene when cloud native infrastructure is initially defined, drifts in runtime will create exposures,” the report said.

Key takeaways from the report as listed by Accurics include:

  • The nature of cloud native infrastructure demands that security must be codified into development pipelines and enforced throughout the lifecycle
  • Policy checks and breach path detection should be codified across Infrastructure as Code (IaC) to identify risks before cloud infrastructure is provisioned
  • Remediation must be codified into the development pipelines in order to address the risks before cloud infrastructure is provisioned and establish a secure baseline
  • Any new resources or configuration drifts in runtime from the baseline defined through IaC should be assessed for risk
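To make the "codified policy checks across IaC" takeaway concrete, here is an added example (not Accurics's tooling and not code from the article) that scans a constructed Terraform-style plan for the three misconfiguration classes the article names: publicly writable storage, a security group left wide open, and hard-coded keys. The plan structure, resource names and the credential value are all constructed; the key ID uses AWS's documented example placeholder.

```python
import re

# Heuristics only: the documented AWS access key ID shape ("AKIA" + 16 chars)
# and a 40-character secret assigned to AWS_SECRET_ACCESS_KEY.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}")

PUBLIC_ACLS = {"public-read", "public-read-write"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample plan (hypothetical resources, not from any real deployment).
SAMPLE_PLAN = {
    "resources": [
        {"type": "aws_s3_bucket", "name": "sdk_assets", "values": {"acl": "public-read-write"}},
        {"type": "aws_security_group", "name": "web",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"type": "aws_instance", "name": "worker",
         "values": {"user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}},
        {"type": "aws_s3_bucket", "name": "logs", "values": {"acl": "private"}},
    ]
}

def evaluate(resources):
    """Return (resource name, finding) pairs; run before provisioning to fail the pipeline."""
    findings = []
    for res in resources:
        kind, name, vals = res["type"], res["name"], res.get("values", {})
        # 1. Storage exposed to anonymous readers or, worse, anonymous writers.
        if kind == "aws_s3_bucket" and vals.get("acl") in PUBLIC_ACLS:
            writable = vals["acl"] == "public-read-write"
            findings.append((name, "publicly writable storage" if writable else "publicly readable storage"))
        # 2. Security group ingress rule reachable from any address.
        if kind == "aws_security_group":
            for rule in vals.get("ingress", []):
                if WORLD_CIDRS & set(rule.get("cidr_blocks", [])):
                    findings.append((name, f"ingress {rule['from_port']}-{rule['to_port']} open to the world"))
        # 3. Hard-coded credentials in any string attribute (user_data, env vars, tags).
        for attr, val in vals.items():
            if isinstance(val, str) and (ACCESS_KEY_RE.search(val) or SECRET_KEY_RE.search(val)):
                findings.append((name, f"hard-coded AWS credential in '{attr}'"))
    return findings

if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE_PLAN["resources"]):
        print(f"{name}: {finding}")
```

The same evaluate() function can be run again against a plan exported from the live environment to flag runtime drift from the IaC-defined baseline.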

About the Author

David Ramel is an editor and writer for Converge360.

Source: Virtualization & Cloud Review
